IBM Support

Security Bulletin: April 2015 Java Platform Standard Edition Vulnerabilities in Multiple N series Products

Created by Yi Chen Li on
Published URL:
https://www.ibm.com/support/pages/node/696427
696427

Security Bulletin


Summary

Multiple N series products incorporate the Oracle Java Platform, Standard Edition (Java SE) software libraries. Java SE (JDK and JRE) versions below 8u45, 7u79 and 6u95 and OpenJDK versions below 1.7.0.79 are susceptible to multiple vulnerabilities, potentially leading to an unauthorized Operating System takeover, a partial denial of service (DOS), an unauthorized read, update, insert or delete access to a subset of Java SE accessible data. These N series Products have addressed the applicable CVEs.

Vulnerability Details

CVEID: CVE-2015-0491
DESCRIPTION:
An unspecified vulnerability in Oracle Java SE and JavaFX related to the 2D component has complete confidentiality impact, complete integrity impact, and complete availability impact.
CVSS Base Score: 10
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/102329 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVEID: CVE-2015-0459
DESCRIPTION:
An unspecified vulnerability in Oracle Java SE and JavaFX related to the 2D component has complete confidentiality impact, complete integrity impact, and complete availability impact.
CVSS Base Score: 10
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/102328 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVEID: CVE-2015-0469
DESCRIPTION:
An unspecified vulnerability in Oracle Java SE related to the 2D component has complete confidentiality impact, complete integrity impact, and complete availability impact.
CVSS Base Score: 10
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/102327 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVEID: CVE-2015-0458
DESCRIPTION:
An unspecified vulnerability in Oracle Java SE related to the Deployment component has complete confidentiality impact, complete integrity impact, and complete availability impact.
CVSS Base Score: 7.6
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/102332 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:H/Au:N/C:C/I:C/A:C)

CVEID: CVE-2015-0460
DESCRIPTION:
An unspecified vulnerability in Oracle Java SE related to the Hotspot component has complete confidentiality impact, complete integrity impact, and complete availability impact.
CVSS Base Score: 9.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/102330 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)

CVEID: CVE-2015-0480
DESCRIPTION:
A directory traversal vulnerability in Oracle Java SE related to the Tools component and the extraction of JAR archive files could allow remote attcker to overwrite files on the system with privileges of another user.
CVSS Base Score: 5.8
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/102334 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:P)

CVEID: CVE-2015-0486
DESCRIPTION:
An unspecified vulnerability in Oracle Java SE related to the Deployment component could allow a remote attacker to obtain sensitive information.
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/102335 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)

CVEID: CVE-2015-0488
DESCRIPTION:
An unspecified vulnerability in Oracle Java SE and Jrockit related to the JSSE component could allow a remote attacker to cause a denial of service.
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/102336 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

CVEID: CVE-2015-0478
DESCRIPTION:
An unspecified vulnerability in Oracle Java SE and JRockit related to the JCE component could allow a remote attacker to obtain sensitive information.
CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/102339 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)

CVEID: CVE-2015-0477
DESCRIPTION:
An unspecified vulnerability in Oracle Java SE related to the Beans component has no confidentiality impact, partial integrity impact, and no availability impact.
CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/102337 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)

CVEID: CVE-2015-0470
DESCRIPTION:
An unspecified vulnerability in Oracle Java SE related to the Hotspot component has no confidentiality impact, partial integrity impact, and no availability impact.
CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/102338 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)

CVEID: CVE-2015-0204
DESCRIPTION:
A vulnerability in the OpenSSL ssl3_get_key_exchange function could allow a remote attacker to downgrade the security of certain TLS connections. An OpenSSL client accepts the use of an RSA temporary key in a non-export RSA key exchange ciphersuite. This could allow a remote attacker using man-in-the-middle techniques to facilitate brute-force decryption of TLS/SSL traffic between vulnerable clients and servers. This vulnerability is also known as the FREAK attack.
CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/99707 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)

Affected Products and Versions

NS OnCommand Core Package: 5.2, 5.2R1, 5.2.1P1, 5.2.1P2;
NS OnCommand Unified Manager for DataONTAP: 6.1R1;
N series VASA Provider: 1.0, 1.0.1;
SnapManager for Oracle: 3.2, 3.3, 3.3.1, 3.4;
SnapManager for SAP: 3.2, 3.3, 3.3.1, 3.4;
Virtual Storage Console for VMware vSphere: 4.2.1, 5.0, 6.0, 6.1;

Remediation/Fixes

For SnapManager for Oracle: the fix exists from microcode version 3.4P2;
For SnapManager for SAP: the fix exists from microcode version 3.4P2;
For Virtual Storage Console for VMware vSphere: the fix exists from microcode version: 6.2;

Please contact IBM support or go to this link to download a supported release. For customers who are using N series VASA Provider, NS OnCommand Unified Manager for DataONTAP or NS OnCommand Core Package, please contact IBM support.

Workarounds and Mitigations

None.

Get Notified about Future Security Bulletins

References

Off

Change History

6 February 2017: Original Version Published

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.

[{"Product":{"code":"STQM4Q","label":"Network Attached Storage (NAS)->SnapManager for Oracle"},"Business Unit":{"code":"BU054","label":"Systems w\/TPS"},"Component":"Not Applicable","Platform":[{"code":"PF002","label":"AIX"},{"code":"PF010","label":"HP-UX"},{"code":"PF016","label":"Linux"},{"code":"PF027","label":"Solaris"},{"code":"PF033","label":"Windows"}],"Version":"3.3.1;3.3;3.2","Edition":"","Line of Business":{"code":"","label":""}}]

Document Information

Modified date:
17 June 2018

UID

ssg1S1009682